Forum Discussion

Keith_Richards_
Nimbostratus
May 12, 2008

Link Controller with IPsec VPN

Has anyone got a configuration of a Link Controller with two ISPs and a Check Point or Cisco IPsec VPN working? If so can you describe your setup?

I'm working along the lines of a standard VS defined with the address of the remote VPN gateway, address and port translation disabled and default resource of the default gateway pool.

I will create a snatpool with the public-facing address of my local VPN gateway (i.e. the Check Point firewall).

My question here is how can I get all the traffic to stick to one link and only failover when the primary link fails? I'm considering using priority activation - does this sound like it will work?
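The setup described in the post above, written out as tmsh configuration. This is an added example, not the poster's configuration or anything from the thread; tmsh only arrived with v10 (2009), so a 2008 deployment would have used bigpipe, and every object name and address below is invented (addresses are RFC 5737 documentation ranges, assumed to be ISP A: 203.0.113.0/24, ISP B: 198.51.100.0/24, remote peer: 192.0.2.50).

```tmsh
# Added example, not from the original thread. Names and addresses are assumptions.

# Default gateway pool: one next-hop per ISP. Priority group activation keeps
# all traffic on the ISP A gateway (priority-group 20) and only falls back to
# the ISP B gateway (priority-group 10) when fewer than min-active-members
# (1) of the higher group pass the monitor, i.e. when ISP A is down.
create ltm pool default_gw_pool \
    monitor gateway_icmp \
    min-active-members 1 \
    members add {
        203.0.113.1:any { priority-group 20 }
        198.51.100.1:any { priority-group 10 }
    }

# The public address the remote peer must see as the tunnel endpoint. A single
# member makes the source translation 1:1 and stable for the life of the tunnel.
create ltm snatpool vpn_snatpool members add { 203.0.113.10 }

# Forwarding virtual server keyed on the remote VPN gateway. All protocols and
# ports: ESP is IP protocol 50 and has no port, IKE is UDP/500, NAT-T is
# UDP/4500. Destination address/port translation stays off so the packet
# leaves for the real peer; only the source is rewritten by the snatpool.
create ltm virtual vs_to_remote_vpn \
    destination 192.0.2.50:any \
    ip-protocol any \
    profiles add { fastL4 } \
    translate-address disabled \
    translate-port disabled \
    snatpool vpn_snatpool \
    pool default_gw_pool

save sys config
```

The priority groups answer the "stick to one link" part: as long as the ISP A gateway answers its monitor, nothing is sent via ISP B. The caveat is the SNAT address. 203.0.113.10 belongs to ISP A's block, so after a failover the outbound ESP leaves via ISP B with a source address ISP B does not own (many upstreams drop that under ingress filtering), and the remote peer's replies are still routed back towards ISP A. Switching the snatpool to an ISP B address instead changes the tunnel endpoint the peer sees, which is a different problem for the IPsec peers to solve.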

5 Replies

  • I know this may sound useless, but I have IPsec VPN tunnels working through the LCs, but essentially I had to define a VIP for each tunnel and then it uses a resource of only one link, specifically the link whose addressing matches the public address of the firewall. SNAT and any other address translation are turned off. It's a forwarding VIP and you define the service port to use all ports as well as allow it to use all protocols.

    It works, but I have no failover. I was wondering how you get a tunnel to failover to the other link.

  • As I discussed in this thread (Click here), I have only been able to get what bporter suggests to work. Unless the IPsec VPN can handle traversing a NAT, there is no way to switch links with it.

    Denny
  • JackofallTrades
    Historic F5 Account
    IPsec can traverse a NAT. There is an RFC for it and most vendors support it. I had to write an iRule to get IPsec to work reliably with LC.
  • Hi, I was wondering if you could share the details of this config that you did all those years ago :) I have to do something similar, and any help would be appreciated.